Revamped Verizon security report to help funnel funds into the right holes

Lia Timson

Cyber security threats vary according to industry sector, a report has found.

After analysing more than 63,000 security incidents that took place in 2013, Verizon's annual Data Breach Investigations Report, used by corporations and governments worldwide as a benchmark of cyber security, or lack thereof, has come to a new conclusion.

It's easier to make sense of cyber threats as they apply to each industry sector, a new report has found. Photo: Kacper Pempel

The 2014 edition released on Tuesday analysed more than 63,000 incidents and 1361 data breaches as reported by 50 organisations in 95 countries, including computer emergency response teams (CERTs) and law enforcement agencies.

Rather than isolating one or two main attack vectors, the analysis was able to pinpoint threats per industry, which the report co-author, senior data analyst Jay Jacobs, said would help those making security spending decisions.

The report found that those administering hotels and other accommodation, for example, ought not to worry about credit card skimming or other scams, because 75 per cent of the attacks levelled against them were aimed at point-of-sale terminals.

Mining companies, on the other hand, should concentrate their security efforts on guarding against espionage – the target of 40 per cent of attacks levelled at the sector – followed by internal misuse of information (25 per cent).

Advertisement

“It’s not surprising when you stop to think about it, but, if you look at the advice people get in the industry, it’s a very general, ‘do this, everybody’,” Jacobs told IT Pro. The whole point now is people can … hopefully prioritise their security spend.”

The report, originally prepared by the American telco using intelligence derived from its own clients, has grown to analyse data losses reported by myriad partners. This year it more than doubled in size to include security incidents worldwide, whether data was lost or not.

The company behind the report does not sell security products, but Jacobs can see how computer security vendors may use this year’s report to tailor, or repackage, products to different verticals.

“Maybe they’ll be packaged differently, but some of the things you can’t go and buy. Espionage, for example; trying to prevent an attack is very difficult to do. They need to [concentrate] on detection.”

Jacobs cautioned against reading too much into the high number of incidents of theft or loss of data in healthcare (40 per cent of all incidents in the sector), and misuse and human error in the public sector (58 per cent in total). These sectors have mandatory reporting resulting in a large number of relatively insignificant incidents.

Denial-of-service attacks and attacks levelled at web applications such as content management systems were found to be relevant to most sectors.

“In web apps, we saw attackers simply scanning the internet for vulnerabilities and dropping some software into it to report back to a command and control infrastructure.”